GraphWorm
GraphWorm is a backdoor used by the China-aligned threat actor Webworm, also tracked as Space Pirates and UAT-8302. Public reporting in 2026 states that Webworm introduced GraphWorm in its 2025 campaigns, which targeted government organizations in Belgium, Italy, Poland, Serbia, and Spain and also involved a university in South Africa. GraphWorm uses the Microsoft Graph API and Microsoft OneDrive as its command-and-control channel, retrieving tasks and uploading victim information while blending its traffic with legitimate cloud activity. Reporting describes it as a Go-based backdoor, and a sample named C2OverOneDrive_v0316.exe was detected by ESET as Win32/Agent.VWD. The published SHA-1 for that sample is 77F1970D620216C5FFF4E14A6CCC13FCCC267217.
Reported capabilities include persistence by executing whenever the victim logs in and by modifying Windows registry Run keys; creation of a unique victim identifier derived from network adapter IP, processor ID, and a physical device serial number obtained through WMI; creation of a separate OneDrive folder per victim with subfolders such as /files, /result, and /job for staging and tasking; file upload and download; spawning a new cmd.exe session or executing newly created processes; configurable sleep intervals; and stopping its own execution on operator signal. Reporting also states that GraphWorm writes command output to beaconshelloutput.txt and uses the Microsoft Graph API createUploadSession endpoint to upload large staged files to OneDrive. Data protection behavior described in the reporting includes AES-256-CBC encryption via OpenSSL EVP calls followed by base64 encoding. Reverse-engineering details cited in the content note Visual Studio 2019 source paths including AutoStart.cpp, BaseInfo.cpp, and Beacon.cpp, a build tag v0316, OneDrive call sites, and an OAuth refresh_token literal, which corroborate its Microsoft Graph and OneDrive C2 role at the binary level.
GraphWorm is part of a broader Webworm toolset that also includes EchoCreep, WormFrp, ChainWorm, WormSocket, and SmuxProxy. The content does not provide a confirmed initial infection vector for GraphWorm specifically; reporting says the delivery mechanism and initial access pathway for EchoCreep and GraphWorm were unknown at the time.
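As an added defender-side example (not code from the reporting or from Mallory), the script below hunts over constructed web-proxy records and scores Microsoft Graph requests against the traits reported above: the per-victim /files, /result and /job folder layout, the beaconshelloutput.txt output file, createUploadSession uploads, and requests from processes outside an assumed baseline of legitimate Graph clients. The record format, the process baseline and the sample records are assumptions, not observed telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample web-proxy records (process, host, URL path); not real telemetry.
SAMPLE_LOGS = [
    ("OneDrive.exe", "graph.microsoft.com", "/v1.0/me/drive/root/children"),
    ("C2OverOneDrive_v0316.exe", "graph.microsoft.com",
     "/v1.0/me/drive/root:/a1b2c3/job:/children"),
    ("C2OverOneDrive_v0316.exe", "graph.microsoft.com",
     "/v1.0/me/drive/root:/a1b2c3/result/beaconshelloutput.txt:/createUploadSession"),
    ("OUTLOOK.EXE", "graph.microsoft.com", "/v1.0/me/messages"),
    ("svchost.exe", "graph.microsoft.com",
     "/v1.0/me/drive/root:/docs/report.docx:/createUploadSession"),
]

# Assumed baseline of processes expected to talk to Microsoft Graph; tune to your estate.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "winword.exe", "excel.exe"}

# Per-victim OneDrive layout reported for GraphWorm: <victim-id>/files, /result, /job
VICTIM_LAYOUT = re.compile(r"/root:/[^/]+/(files|result|job)(?:[/:]|$)", re.I)


@dataclass
class Finding:
    process: str
    path: str
    score: int
    reasons: list


def score_record(process, host, path):
    """Score one request against the reported GraphWorm traits; None if not Graph."""
    if not host.lower().endswith("graph.microsoft.com"):
        return None
    p = path.lower()
    checks = [
        (process.lower() not in EXPECTED_GRAPH_CLIENTS, 2, "process outside Graph client baseline"),
        (bool(VICTIM_LAYOUT.search(path)), 3, "GraphWorm-style per-victim folder layout"),
        ("beaconshelloutput.txt" in p, 5, "reported GraphWorm output filename"),
        ("createuploadsession" in p, 1, "createUploadSession large-file upload"),
    ]
    hits = [(weight, reason) for ok, weight, reason in checks if ok]
    return Finding(process, path, sum(w for w, _ in hits), [r for _, r in hits])


def hunt(records, threshold=3):
    """Return findings at or above threshold, highest score first."""
    scored = (score_record(*r) for r in records)
    return sorted((f for f in scored if f and f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.score:2d} {f.process:26s} {f.path}  [{'; '.join(f.reasons)}]")
```

The weights are illustrative; in practice the per-victim layout and output filename are the strongest signals, while an unexpected process alone only earns a low-priority hit.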
The Hacker News, “Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API” (May 2026).
According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm. GraphWorm relies on Microsoft Graph API and OneDrive endpoints to retrieve tasks and upload victim information.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 3 techniques
Privilege Escalation: 2 techniques
Stealth: 4 techniques
  Evidence: "GraphWorm and EchoCreep use encryption and encoding techniques to obfuscate data."
Defense Impairment: 1 technique
Discovery: 1 technique
Lateral Movement: 1 technique
Collection: 3 techniques
Command and Control: 8 techniques
  Evidence: "EchoCreep backdoor using Discord for C&C. ... GraphWorm backdoor using the Microsoft Graph API for C&C."
  Evidence: "WormFrp, ChainWorm, WormSocket, SmuxProxy, and GraphWorm have the capability to connect to external proxies."
  Evidence: "EchoCreep and GraphWorm use Discord and the Microsoft Graph API for C&C infrastructure."
  Evidence: "This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains."
  Evidence: "EchoCreep, GraphWorm, and WormSocket make use of base64 encoding."
Recent activity
7 sources tracked across advisories, community write-ups, and news. Summaries of how each source describes GraphWorm:
A backdoor referenced in reporting about Webworm using Discord and Microsoft Graph API for command and control.
A more advanced custom backdoor used by Webworm that leverages Microsoft Graph API for C2, can spawn cmd.exe, execute processes, upload/download files via Microsoft OneDrive, and stop its own execution on operator signal.
A Go-based backdoor that uses Microsoft Graph API and OneDrive as its command-and-control channel, creating victim-specific folders to receive tasks, upload/download files, execute shell commands via cmd.exe, and return command output while blending into legitimate cloud traffic.
A backdoor that persists at logon and uses Microsoft Graph API, specifically OneDrive, for command retrieval and data exfiltration. It supports shell execution, process execution, file transfer, configuration updates, and encrypted communications.